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Abstract — The problem of securing a network coding 
communication system against a wiretapper adversary is 
considered. The network implements linear network coding 
to deliver n packets from source to each receiver, and 
the wiretapper can eavesdrop on /i arbitrarily chosen 
links. A coding scheme is proposed that can achieve the 
maximum possible rate of k = n — fi packets that are 
information-theoretically secure from the adversary. A 
distinctive feature of our scheme is that it is universal: 
it can be applied on top of any communication network 
without requiring knowledge of or any modifications on 
the underfying network code. In fact, even a randomized 
network code can be used. Our approach is based on 
Rouayheb-Soljanin's formufation of a wiretap network as 
a generaiization of the Ozarow-Wyner wiretap channel 
of type II. Essentially, the linear MDS code in Ozarow- 
Wyner 's coset coding scheme is replaced by a maximum- 
rank-distance code over an extension of the field in which 
linear network coding operations are performed. 

I. Introduction 

The paradigm of network coding [l]-[3] has provided 
a rich source of new problems that generalize traditional 
problems in communications. One such problem, intro- 
duced in [4] by Cai and Yeung, is that of securing a 
multicast network against a wiretapper adversary. 

Formally, consider a multicast network with unit ca- 
pacity edges implementing linear network coding over 
the finite field ¥ q . Each link in the network is assumed 
to carry a packet of m symbols in ¥ q . We assume that 
the maxflow from source to each receiver is at least n 
and that the network code is feasible for the multicasting 
of n packets, that is, each receiver is able to recover 
the n packets originated at the source. Now, suppose 
there is a wiretapper that can listen to transmissions on 
/i arbitrarily chosen links of the network. The secure 
network coding problem is to design a network code and 
an outer encoder at the source such that a message can 
be transmitted from the source to each receiver without 
leaking any information to the wiretapper (i.e., security 
in the information-theoretic sense). 

The work of Cai and Yeung [4] shows that a solution 
to this problem exists if the message consists of at most 
k = n — \i packets and q is sufficiently large. Their 



solution involves changing the network code such that 
certain security conditions are met and requires a field 
of size at least ( ), where £ is the number of links in 
the network. Feldman et al. [5] simplified the conditions 
in [4] and showed that it is possible to achieve security 
by carefully designing the outer code, while leaving the 
network code unchanged. They also show that, if a linear 
outer code is used and the network topology is arbitrary, 
then there are instances of the problem where a very 
large field size is necessary to achieve capacity. 

Recently, Rouayheb and Soljanin [6] have shown that 
the problem of secure network coding can be regarded as 
a network generalization of the Ozarow-Wyner wiretap 
channel of type II [7], [8]. Their observation provides 
an important connection with a classical problem in 
information theory and yields a much more transparent 
framework for dealing with network coding security. 
In particular, they show that the same technique used 
to achieve capacity of the wiretap channel II — a coset 
coding scheme based on a linear MDS code — can also 
provide security for a wiretap network. Unfortunately, in 
their approach, the network code has to be modified to 
satisfy certain constraints imposed by the outer code. 

Note that, in all the previous works, either the network 
code has to be modified to provide security [4], [6], or 
the outer code has to be designed based on the specific 
network code used [5]. In all cases, the field size required 
is significantly larger than the minimum required for 
conventional multicasting. 

The present paper is motivated by Rouayheb and 
Soljanin's formulation of a wiretap network and builds 
on their results. Our main contribution is a coset coding 
scheme that neither imposes any constraints on, nor 
requires any knowledge of, the underlying network code. 
In other words, for any linear network code that is feasi- 
ble for multicast, secure communication at the maximum 
possible rate can be achieved with a fixed outer code. In 
particular, the field size can be chosen as the minimum 
required for multicasting. An important consequence of 
our result is that the problems of information transport — 
designing a feasible network code — and security against 



a wiretapper can be completely separated from each 
other. Such a feature of our scheme allows it to be 
seamlessly integrated with random network coding. 

The essence of our approach is to use a "nonlin- 
ear" outer code that is, however, linear over an ex- 
tension field ¥ q m. Taking advantage of this extension 
field, we can then replace the linear MDS code in 
Ozarow-Wyner coset coding scheme by a maximum- 
rank-distance (MRD) code, which is essentially a linear 
code over ¥ q m that is optimal in the rank metric. Codes 
in the rank metric were studied by a number of authors 
[9]— [12] and have been recently proposed for error 
control in random network coding [13], [14]. Here, we 
show that the fact that the wiretapper observes a linear 
transformation of the transmitted symbols is exactly what 
suggests the use of a rank-metric code. 

The remainder of the paper is organized as follows. In 
Section HI] we review the models of a wiretap channel II 
and a wiretap network, together with their corresponding 
security conditions. In Section [III] we review rank-metric 
codes and present our solution to the security problem 
in a wiretap network. In Section [IVJ we provide a brief 
discussion of our main result and, in Section [V] we 
present our conclusions. 

II. Wiretap Model 
A. Wiretap Channel II 

Consider a communication system consisting of a 
source, a destination and a wiretapper. The source pro- 
duces a message S = [Si S 2 ■■■ S k ] , where 
the symbols S\ , . . . , Sk are drawn from an alpha- 
bet F, and encodes this message as a vector X — 
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[Xi ■ ■ ■ X n ] , Xi e F, This vector is transmitted 
over a noiseless channel and received by the destina- 
tion. The wiretapper has access to [i symbols of X, 
represented as the vector W — (Xi, i G I), where 
I C {1, . . . , n}. The goal of the system is for the source 
to communicate the message to the destination in such 
a way that the wiretapper cannot obtain any information 
about S from any possible set of /i intercepted symbols. 
More precisely, the conditions for secure communication 
are 

H(S\X) = (1) 
H(S\W) = H(S), VZ: \I\ = fi. (2) 

Condition (fl~|i implies that S must be a deterministic 
function of X. The question is then how to design a 
(probabilistic) encoding of S into X such that conditions 
(HJ and (ffji are satisfied. 



Note that, by expanding H (S, X\W), we have 

H{S\W) = H(S\X, W) +H(X\W) - H(X\S, W) 
=o 

= H{X\W) - H{X\S,W) (3) 
< H(X\W) <n- fi 

so the maximum number of symbols that can be securely 
communicated is upper bounded by H(S) < n — fi. 

This maximum rate can be achieved by using Ozarow- 
Wyner coset coding scheme [8], which operates as 
follows. Assume F is a finite field of sufficiently large 
cardinality. Let k = n — fi and let C be an (n, fi) 
linear MDS code over F with parity-check matrix H. 
Encoding is performed by randomly choosing some 
X E C such that S = HX; in other words, each message 
is viewed as a syndrome specifying a coset of C, and 
the transmitted vector is chosen uniformly at random 
among the elements of that coset. Upon reception of 
X, decoding is performed by simply computing the 
syndrome S = HX. 

With respect to security, it is immediate that condition 
(fl~|l is satisfied in this scheme. Since C is a linear code, 
the probabilistic encoding ensures that H(X) = H(S) + 
H, and thus H(X\W) = H(X) - H{W) = H(S) + /x - 
H(W) > H(S). On the other hand, since C is an MDS 
code, knowledge of S and W is sufficient to determine 
X, so H(X\S, W) = 0. These two facts applied in OJ 
imply that condition (O is satisfied, and therefore secure 
communication can be achieved. 

B. Wiretap Networks 

Consider a communication network represented by a 
directed multigraph with unit capacity edges, a single 
source node and multiple destination nodes. The source 
node produces a message X = [Xi ■ ■ ■ X„] con- 
sisting of symbols from an alphabet F, and this message 
is requested by each of the destination nodes. Each link 
in the network is assumed to transport a symbol in F 
free of errors. When network coding is used, each node 
in the network produces symbols to be transmitted by 
performing arbitrary operations on the received symbols 
(or on the message symbols in the case of the source 
node). We say that the network code is feasible (and 
multicast communication is achieved) if each destination 
node is able to recover the source message. 

Let ¥ q be a finite field and assume that F is a 
vector space over ¥ q . In this case, an element of F may 
also be called a packet. When linear network coding is 
used, each packet transmitted by a node is an F g -linear 
combination of received (or message) packets. Let C be 
the minimum value of the mincut from the source node 
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to any destination node. It is a well-known result that a 
feasible linear network code exists if n < C and q is 
sufficiently large, but no feasible network code exists if 
n > C [l]-[3]. 

The wiretap problem of Section IH-AI can be gener- 
alized to the network scenario above by introducing a 
wiretapper who can eavesdrop on fi links, represented 
by the set X, and by assuming that the source message 
is given by S — [Si 5 2 • • • Sk] , Si G F, which is 
then encoded into X for transmission over the network. 
We assume that linear network coding is used, so the 
packets observed by the wiretapper can be represented as 
a vector W = BX, where B is an /i x n matrix over W q 
consisting of the global coding vectors associated with 
the edges in I. 

Assume that n < C, q is sufficiently large, and that a 
feasible network code is selected, i.e., each destination 
node is able to recover X. The conditions for secure 
communication remain the same as before, namely 

H(S\X) = (4) 
H(S\W) = H(S), VZ: \2\ = /i. (5) 

The question is then how to design an encoding from S 

to X and a feasible linear network code such that (0]i 

and (O are satisfied. 

Considering F = ¥ q , Rouayheb and Soljanin showed 

in [6] that secure communication is possible using the 

coset coding scheme of Sec. IH-AI if the network code is 

chosen to satisfy certain constraints. The development is 

similar to that of Sec. IH-AI where we choose k = n — /i 

and let H be the parity-check matrix of an (n, fi) linear 

MDS code over F. Equations © and H{X\W) > H(S) 

are automatically satisfied by coset encoding, but to 

satisfy H(X\S, W) = we must ensure that the matrix 
~ jj~ 

is nonsingular for all X such that B is full-rank. 

B 

(Note that the case where B is not full-rank reduces to 
a similar instance with a full-rank B and a smaller fi.) 
This condition is equivalent to constraining the network 
code such that no linear combination of fi = n — k or 
fewer coding vectors belongs to the space spanned by 
the rows of H. 

It follows from this result that secure multicast com- 
munication can be achieved in two steps: first, designing 
a coset coding scheme based on an MDS code, and then 
designing a linear network code so as to satisfy the above 
constraint. 

In the following, we show that this undesirable cou- 
pling between the coset coding scheme and the network 
code design can be avoided. 



III. Rank-Metric Codes for Wiretap 
Networks 

A. Rank-Metric Codes 

We first present a brief review of rank-metric codes. 

Let F™ xm be the set of all n x m matrices over ¥ q . 
A natural distance measure between elements X and Y 
of F™ x ™ is given by the rank distance dn(X, Y) = 
rank(y — X). As observed in [9], the rank distance is 
indeed a metric. 

A rank-metric code is a nonempty subset of F™ xm 
used in the context of the rank metric. The minimum 
rank distance of a rank-metric code is the minimum 
rank distance among all pairs of distinct codewords. The 
Singleton bound for the rank metric (see [12], [14] and 
references therein) states that every rank-metric code 
C Q F" Xm with minimum rank distance d must satisfy 

log 9 \C\ < max{n, m}(min{n, m} — d+ 1). 

Codes that achieve this bound are called maximum- rank- 
distance (MRD) codes. 

The usual way to construct rank-metric codes is via 
the correspondence between F q x TO and an extension field 
F q m. By fixing a basis for ¥ g m as an m-dimensional 
vector space over W q , any element of ¥ q m can be 
regarded as a row vector of length m over F g and, 
similarly, any column vector of length n over ¥ q m can be 
regarded as an n x m matrix over ¥ q . The rank of a vector 
X G ¥ qm is the rank of X as an n x m matrix over ¥ q , 
and the same applies for the rank distance. Under this 
correspondence, a rank-metric code in F" xm is simply 
a block code of length n over ¥ q ™ used in the context 
of the rank metric. 

It is useful to consider linear (n, k) codes over ¥ q ™ 
with minimum rank distance d. For such codes, the 
Singleton bound becomes 

d < min |l, — | (n - k) + 1. 

Note that the classical Singleton bound d < n — k + 1 
can be achieved only when n < m. For this case, a class 
of MRD codes with any specified k was described in [9] 
by Gabidulin. 

We now restate some results from [9] which relate the 
minimum rank distance of a linear code with properties 
of its parity-check matrix. To avoid confusion, the rank 
of a matrix H over F g ™ is denoted by rank 9 m H. 

Theorem 1: Let C be a linear (n, k) code over ¥ qm 
with parity-check matrix H. Then C has minimum rank 
distance d if and only if 

rank,™ HT = d - 1 
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for any full-rank matrix T € Fg X ' d ^ and 

rank,™ HT a < d 

for some full-rank matrix To € F™ . 

Corollary 2: Assume n < m. A linear (n, k) code 
over F g m with parity-check matrix H is an MRD code 
if and only if 

rank 9 m HT = n — k 
for any full-rank matrix T e jp™ x ("~ fc ) 

B. A Universal Coding Scheme for Wiretap Networks 

We now present our solution to the wiretap problem 
of Section III-BI Following [6], we use a coset coding 
scheme similar to that of Section III-A1 however, we set 
the symbol alphabet to be F = ¥ q m, while the field for 
the linear network coding operations remains F g . Note 
that, since coset encoding/decoding is performed only 
at source/destination nodes, setting F to be an extension 
field of F g does not interfere with the underlying network 
code. 

Let k = n — \i and let H be the parity-check matrix 
of a linear (n, p) code over F. Encoding and decoding 
of the source message S is performed as described in 
Section III-AI With respect to security, Rouayheb and 
Soljanin's analysis carries out unchanged, and we arrive 

at the same security condition: the matrix D must be 
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nonsingular for all T such that B e F^ XTl is full -rank. 
Note that, while H is defined over F — ¥ q m , the matrix 
B has only entries in ¥ q . This fact is the fundamental 
distinction of our approach and will allow us to satisfy 
the security condition regardless of the network code 
used. 

Our main result is a consequence of the following 
lemma. 

Lemma 3: Let H be the parity-check matrix of a 
linear MRD (n,p) code over ¥ q m. For any full-rank 
matrix B e F^ xn , the n x n matrix 



M 



is nonsingular over ¥ q -m . 

Proof: Consider the system of equations 



X = 



in the unknown X e F™, 



We will show that X = 
is the only solution to this system, which implies that 
rank„™ M = n. 



that 



First, choose some (n — /f) x n matrix D over ¥ q such 
~ B~ 

is nonsingular, and let X — DX. We have that 



D 



X = 



X = 



Moreover, if T is the (full-rank) matrix corresponding to 

'bV 1 



the last n — fi columns of 



D 



then X = TX. 



Now, = HX = HTX. By Corollary the (n - 
/i) x (n — /i) matrix HT is nonsingular over ¥ q m. Thus, 
we must have X = and hence X = 0. ■ 

The following theorem summarizes the results of this 
section. 

Theorem 4: Consider a multicast communication net- 
work that transports n packets of length m > n over 
F g , subject to the presence of a wiretapper who can 
eavesdrop on at most /i links. The maximum number 
of source packets that can be securely communicated 
to each destination, in such a way that the wiretapper 
obtains no information about the source packets, is n — /i. 
This rate can be achieved by using any feasible Fg-linear 
network code in conjunction with a fixed end-to-end 
coset coding scheme based on any linear MRD (n, fi) 
code over ¥ q ™ . 

The following example illustrates the above results. 

Example 1: Let q = 2, m = n = 3, fi = 2 and 
k = n — /i = 1. Let F = F 2 a be generated by a root of 
p{x) — x 3 + x + 1, which we denote by a. According to 
[9], one possible (n, fi) MRD code over ¥ q m has parity- 
check matrix H = [l a a 2 ] . 

To form X, we can choose X2,X% £ F,™ uniformly 
at random and set X\ to satisfy 



S = HX = X% + aX 2 



a 2 X 3 



Note that X can be transmitted over any network that 
uses a feasible linear network code. The specific network 
code used is irrelevant as long as each destination node 
is able to recover X. 

Now, suppose that the wiretapper intercepts W = 
BX, where 

"1 1" 
Oil' 



B 



Then 



W — B 



s- 



S + aX 2 -i 
X 2 

x 3 

x 2 ] 



a 2 X, 



4 



This is a linear system with 3 variables and 2 equa- 
tions over F g m. Note that, given S, there is exactly 
one solution for (X2,X^) for each value of W. Thus, 
Pr(W\S) = 1/8 2 , VS,W, from which follows that S 
and W are independent. 

IV. Discussion 

Theorem [4] shows that the problem of ensuring com- 
munication security against a wiretapper can be treated 
independently from that of multicasting information, in 
effect turning network coding design back into a much 
easier and already satisfactorily solved problem [15]. A 
byproduct of this result is that, to incorporate security, 
we no longer need to enlarge the field of network 
coding operations more than what is strictly required 
for multicasting — although the network does need to 
transport packets of size larger than a single element. In 
practice, packet lengths are much larger than n, at least 
10 times larger for typical parameters, so the constraint 
to > n is not really a concern. 

As pointed out in the previous section, encoding and 
decoding of the source message require operations to be 
performed in the extension field W q m. We mention that 
each encoding or decoding procedure can be performed 
in 0(k(n — k)) operations in ¥ g m by using a parity- 
check matrix H in systematic form. More precisely, if 
H = [I P] and X T = [X| X%\ , where X s has 
k rows, then S = HX = Xs + PXr, so S can be 
encoded by randomly generating Xr and then setting 
Xs = S — PXr. Encoding thus amounts essentially 
to a matrix multiplication over ¥ q m. Decoding can be 
performed similarly. 

It is worth to mention that our security scheme can be 
seamlessly integrated with random network coding. We 
simply require that each packet transports a header of 
length n containing the global coding vector associated 
with the packet; thus, the total packet length must be at 
least n + m symbols in ¥ q . Note that, since a random 
linear network code is feasible with high probability, the 
only parameter pertaining to the network that we need 
to estimate is the effective mincut C, in order to decide 
on n, k and the coset coding scheme. 

V. Conclusion 

We consider the problem of providing information- 
theoretic security in a communication network subject 
to the presence of a wiretapper. We propose a coset 
coding scheme similar to that of Ozarow-Wyner, but 
defined over the extension field F 9 ™. For this reason, 
we assume that packets of length to are transmitted 
rather than individual symbols. We show that transmis- 
sion at the maximum possible rate (the network secure 



capacity) is possible irrespectively of the underlying 
network code. As a consequence, the sub-problems of 
information transport and information security can be 
treated independently of each other: a feasible linear 
network code can be designed (perhaps, randomly) with 
only throughput in mind, while a fixed outer code can 
be used to provide security whenever it is needed. Our 
proposed scheme is based on MRD codes and can be 
efficiently encoded and decoded. 
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